First malicious apps to exploit critical Android bug found in the wild

Researchers have spotted the first in-the-wild apps to exploit a critical Android vulnerability allowing attackers to inject malicious code into legitimate programs without invalidating their digital signature.

The two apps, distributed on unofficial Android marketplaces in China, help people find doctors and make appointments, according to a blog post published Tuesday by researchers from security firm Symantec. By exploiting the recently disclosed "master key" vulnerability, or possibly a separate, closely related Android flaw disclosed shortly afterwards, attackers were able to surreptitiously add harmful functions to the apps without changing the cryptographic signature that is supposed to ensure the apps haven't been modified.

"An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," a Symantec researcher wrote. "Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions)."

A snippet of malicious code injected into a legitimate Android app. (Image: Symantec)

Despite its name, the master key vulnerability doesn't involve any cracking of the underlying cryptography in the Android security model. Rather, it hides two files with the same name inside an app's APK. Short for Android package, an APK is an ordinary ZIP archive with a different extension and a fixed set of specially named files inside, among them the compiled code (classes.dex), the manifest, and the signature files under META-INF. Nothing in the ZIP format stops an archive from listing the same name twice, and Android's code paths disagreed about which copy to honor when one did. According to Sophos's Paul Ducklin, the cryptographic verifier checks the signature of the first instance of a duplicated name, while the installer extracts and deploys the last. The exploit, developed by researchers from security startup Bluebox, therefore packs the APK's legitimate, digitally signed file alongside a second file of the same name that's modified to do whatever the attacker wants: the copy that gets verified is not the copy that gets run.

A related attack works in much the same way, except that it always targets classes.dex, stashing two different versions of that one file. It works only when the classes.dex inside the APK is small enough (the write-ups put the limit at roughly 64 KB), so it's not as flexible as the master key attack. The mention of the classes.dex file in Tuesday's blog post from Symantec suggests the malicious apps may have made use of this related exploit. For an explanation of the classes.dex attack and how it differs from the master key exploit, see the posts from Kaspersky Lab and Sophos.
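As an added example, not code from the article, Symantec, Bluebox or Android itself, the Python below parses an APK's ZIP central directory by hand, flags any entry name listed more than once, and decompresses every copy so the first and last can be compared side by side. The sample APK is constructed in memory and its classes.dex contents are placeholder bytes, not a real Dalvik executable. The program also shows that Python's own zipfile module returns the last copy for a duplicated name while the raw walk returns both in order: two parsers, one archive, two different answers, which is the kind of mismatch the master key bug exploited.

```python
"""Added example: walk an APK's ZIP central directory and flag duplicated entry names.

The ZIP container permits two entries with the same name; the master key bug was
that Android's signature verifier and its installer each honored a different copy.
Everything here is self-contained: the sample APK is constructed in memory and its
"classes.dex" contents are placeholder bytes, not a real Dalvik executable.
"""
import io
import struct
import warnings
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header
LFH_SIG = b"PK\x03\x04"   # local file header


def central_directory_entries(data: bytes):
    """Yield (name, local_header_offset, compressed_size, method) for every
    central-directory record, in the order the archive lists them."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_this_disk, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        # 46-byte fixed header (APPNOTE 4.3.12): sig, ver_made, ver_need, flags, method,
        # time, date, crc, csize, usize, name_len, extra_len, comment_len, disk, iattr, eattr, lfh_off
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        method, csize, name_len, extra_len, comment_len, lfh_off = f[4], f[8], f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, lfh_off, csize, method
        pos += 46 + name_len + extra_len + comment_len


def read_entry_payload(data: bytes, lfh_off: int, csize: int, method: int) -> bytes:
    """Return the decompressed bytes behind one local file header. The size comes from
    the central directory so archives using data descriptors (flag bit 3) still work."""
    if data[lfh_off:lfh_off + 4] != LFH_SIG:
        raise ValueError("bad local file header")
    # 30-byte fixed header; name_len and extra_len sit at offsets 26 and 28
    name_len, extra_len = struct.unpack_from("<HH", data, lfh_off + 26)
    start = lfh_off + 30 + name_len + extra_len
    payload = data[start:start + csize]
    if method == zipfile.ZIP_STORED:
        return payload
    if method == zipfile.ZIP_DEFLATED:
        return zlib.decompress(payload, -15)  # raw deflate stream, no zlib header
    raise ValueError(f"unsupported compression method {method}")


def find_duplicate_entries(data: bytes) -> dict:
    """Map each name that appears more than once to the payloads of all its copies,
    in central-directory order. A clean APK returns an empty dict."""
    copies = {}
    for name, lfh_off, csize, method in central_directory_entries(data):
        copies.setdefault(name, []).append(read_entry_payload(data, lfh_off, csize, method))
    return {name: payloads for name, payloads in copies.items() if len(payloads) > 1}


def stdlib_view(data: bytes, name: str) -> bytes:
    """What Python's own zipfile returns for a duplicated name: it keeps the last
    central-directory record per name, standing in here for 'a second parser'."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal 'signed' APK with a second classes.dex of the
    same name appended after the signature file. Placeholder contents only."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name but still writes it
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL-CODE")
            zf.writestr("META-INF/CERT.SF", b"SHA1-Digest-Manifest: (placeholder)")
            zf.writestr("classes.dex", b"dex\n035\x00INJECTED-CODE")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    for name, payloads in find_duplicate_entries(apk).items():
        print(f"{name}: {len(payloads)} copies; first={payloads[0]!r} last={payloads[-1]!r}")
    print("zipfile module returns:", stdlib_view(apk, "classes.dex"))
```

The check is purely format-level and needs no signature verification: a well-formed APK has no reason to list the same path twice, so a non-empty result from find_duplicate_entries is grounds to reject the package before either the verifier or the installer sees it. It covers only the duplicate-name condition; the related classes.dex flaw turns on how the entry's lengths are handled and needs its own check.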

First but probably not the last

Google has already issued updates to prevent attackers from using the exploits to tamper with legitimate apps found in the official Google Play marketplace. The company has also released the fix to handset manufacturers and carriers. But given the track record of millions of Android phones that never, or only rarely, receive updates to patch dangerous security vulnerabilities, it's a fair bet that many handsets will remain vulnerable for a long time. Readers are strongly encouraged to obtain apps only from Google Play and to think long and hard before changing the default setting that blocks the "side loading" of apps from other sources. A variety of apps, including Bluebox's own scanner and Norton Mobile Security from Symantec, will also flag apps modified by one or both of these exploits.

"in the wild" = "distributed on unofficial Android marketplaces in China" = "not many users in the Western world"?

Android has approximately 90% market share in China, but Google's presence is essentially zero:

Quote:

There are over 200 Android app stores available for end-users, the largest ones being Tencent, Qihoo 360, Wandouija, 91 Mobile, UCWeb, Baidu, D.cn and China Mobile’s app store, with almost no market share for Google Play and other Western channels.

We can be sure that anybody interested in exploiting this malware has zero specific interest in people's doctors' visits, but merely chose it as a convenient “go to market” strategy. For that matter, it wouldn't seem out of the realm of possibility, to have the virus repackage already-downloaded apps on the user's phone, putting the user's entire app collection at ongoing risk.

I wouldn't be too comfortable about this malware staying in the little niche it now occupies. IMO, the world is about to get familiar with the joys of virus scanners, and the never-ending cat-and-mouse of viruses that disable, spoof or even compromise common scanners' functions. I can't say I foresaw this exact scenario but danged if it wasn't foretold by hundreds.

my dad barely gets the concept of malware / phishing attacks on his computer ... trying to explain that the same concept might apply to his phone will most likely cause his mind to be blown ..

I can see a lot of very stupid individuals getting tricked by getting a link to this in their inbox ...

"Imagine how stupid the average person is ... now imagine that half the planet is even more stupid than that .. "

Your dad isn't stupid, he likely just considers other domains of knowledge more important and worthy of his time and energy, or never cared to delve deep into intricacies of software/Internet, or has some other form of life prioritisation. Same goes for just about everyone else. Lack of savvy in a specific domain (e.g. Software security) is almost never related to general intelligence or savvy in other domains.

This is one reason why it is so important to have widely available security updates that are as frictionless as possible to install. See Chrome as a perfect example.

Despite the fact that this will affect very few people, the prospect of running security software on my phone solely due to the gross negligence of the manufacturer for a device I bought this year is infuriating. I understand that the fuckwits who design phone hardware and software seem to think we're still in the embedded dark ages and that a phone is a glorified pocket calculator, but once something goes on the Internet and runs third-party code there is no excuse for this shit.

I know that getting even the kernel to run on phone hardware is difficult, but if the vendor can design the hardware, they can damn well program it. And if not, the carriers can stop locking people into contracts for products they don't intend to support.

I am wondering too if the users at risk are the ones that modified the OS with root. I never touched that, and my Xperia ZL still has the same OS from the factory; the only thing I did was update to 4.2.2 from Sony.

It sounds like rooting is not the issue, just loading outside of the Google Play store. I have modified my settings to allow me to load apps from the Amazon App Store and from my employer (for the email client). If I download and run the wrong app, then I'll be infected.

Despite the fact that this will affect very few people, the prospect of running security software on my phone solely due to the gross negligence of the manufacturer for a device I bought this year is infuriating. I understand that the fuckwits who design phone hardware and software seem to think we're still in the embedded dark ages and that a phone is a glorified pocket calculator, but once something goes on the Internet and runs third-party code there is no excuse for this shit.

I know that getting even the kernel to run on phone hardware is difficult, but if the vendor can design the hardware, they can damn well program it. And if not, the carriers can stop locking people into contracts for products they don't intend to support.

A bit melodramatic, aren't you? Yes, the design is flawed. Most people who knew anything about Android understood this. Malware will hit ANY platform once it becomes a popular platform. Apple users are seeing the result of growing in their user base as well. As long as YOU don't do anything as stupid as downloading and installing apps not from an official, trusted source, then you will be pretty safe. If you do, then you deserve the headaches that are almost certain to come.

Despite the fact that this will affect very few people, the prospect of running security software on my phone solely due to the gross negligence of the manufacturer for a device I bought this year is infuriating. I understand that the fuckwits who design phone hardware and software seem to think we're still in the embedded dark ages and that a phone is a glorified pocket calculator, but once something goes on the Internet and runs third-party code there is no excuse for this shit.

I know that getting even the kernel to run on phone hardware is difficult, but if the vendor can design the hardware, they can damn well program it. And if not, the carriers can stop locking people into contracts for products they don't intend to support.

It takes a great deal of effort to download a fake application resulting in the exploit even being taken advantage of.

The reporting on the master key exploit is really horrible; the only people likely to ever see a single file modified by this exploit are users of unauthorized third-party application stores without any sort of review process.

If China has a huge market then those users will have to be more careful about the applications they download. It does not take a great deal of effort to verify that the publisher of an application is actually the real publisher of that application.

Real applications WILL NOT change other applications, so if you only download REAL applications, you have nothing to worry about.

Running security software on your phone is dumb; there is also a third option: don't download and install applications beyond an email, Twitter, etc. client.

Do you really need that 3rd fart application or the fake Pokemon game?

my dad barely gets the concept of malware / phishing attacks on his computer ... trying to explain that the same concept might apply to his phone will most likely cause his mind to be blown ..

I can see a lot of very stupid individuals getting tricked by getting a link to this in their inbox ...

"Imagine how stupid the average person is ... now imagine that half the planet is even more stupid than that .. "

How does lack of understanding of malware or software translate into being stupid? My younger sister is a math teacher. She has 2 advanced degrees in mathematics yet computers stump her. She always calls me to help her when her computer does anything odd. Does that make her stupid?

If an Android user only downloads apps from the official Google Play store, and has not rooted their phone, are they at risk from this or not?

Or is it too soon to tell?

Unfortunately they might be at risk too, judging by the last paragraph of the article. Google said they had fixed the Play store to detect/block this exploit, but people have found accidental instances of the exploit in some Play Store apps.

MartinHatch wrote: my dad barely gets the concept of malware / phishing attacks on his computer ... trying to explain that the same concept might apply to his phone will most likely cause his mind to be blown ..

I can see a lot of very stupid individuals getting tricked by getting a link to this in their inbox ...

"Imagine how stupid the average person is ... now imagine that half the planet is even more stupid than that .. "

I wish I could be half as superior as you appear to think you are.

Maybe instead of calling people stupid you could perhaps help to educate them about what not to do?

After all, none of us can do anything much until we are taught the basics of any subject.

That includes you I would think...

Imagine how stupid a person is for posting a junk post like you have done...

If an Android user only downloads apps from the official Google Play store, and has not rooted their phone, are they at risk from this or not?

Or is it too soon to tell?

As stated in the article:

Quote:

Google has already issued updates to prevent attackers from using the exploits to tamper with legitimate apps found in the official Play Marketplace. The company has also released updates to handset manufacturers and carriers. But given the track record of millions of Android phones that never, or only rarely, receive updates to patch dangerous security vulnerabilities, it's a fair bet that many handsets will remain vulnerable. Readers are strongly encouraged to obtain apps only from the Google Play marketplace and to think long and hard before changing default settings preventing the "side loading" of apps from alternative sources.

So as far as we know, the exploit can't be used to modify apps available in Google Play. And by default, Android phones can't download apps from other sources. Phones that have the update released by Google are safe from this exploit even when they've been configured to side load apps from other sources. Does that make sense? Does that answer your questions?

My understanding is that alternative markets are extremely popular sources of legitimate applications in certain parts of the world. So while it's easy for people in the US and Europe to use only the Google Play Market, that advice may not be so easy to follow by people in, say, China. Does anyone have more experience with Google apps in Asia and other parts of the world?

It amazes me that some technically savvy people are so arrogant as to believe that others whose specialties lie in other areas are stupid. Just because someone knows how to do other things (that you'll almost certainly never know how to do) and hasn't been interested in something that's intensely interesting to you, that doesn't make the other person stupid or foolish or anything else other than different from you. The attitude that prevails among a lot of allegedly smart tech people is that problems such as this aren't important because it wouldn't affect the way they use a computer/smartphone and because they understand enough (and keep up with enough tech news) to avoid it. Please understand that there are millions and millions of highly intelligent people who know more than you'll ever know about their own fields, but who don't care about technology. If you're one of those who looks down on others in this way, you're foolish and arrogant.

So as far as we know, the exploit can't be used to modify apps available in Google Play. And by default, Android phones can't download apps from other sources. Phones that have the update released by Google are safe from this exploit even when they've been configured to side load apps from other sources. Does that make sense? Does that answer your questions?

There are two different angles, even for apps from other sources.

Number one, they updated Android to patch the exploit. This will take a long time to trickle down to users.

Number two, the remotely updated Google Play services includes a package installer that now sends the signature of apps from third-party stores to Google for verification (it can flag APKs before they are installed; this is optional but recommended). Does this package installer (which works on every Google Play device from Froyo up) flag these apps? I would assume yes, that it would apply the same verifications that Google Play does, but could you press Google on this issue?

My understanding is that alternative markets are extremely popular sources of legitimate applications in certain parts of the world. So while it's easy for people in the US and Europe to use only the Google Play Market, that advice may not be so easy to follow by people in, say, China. Does anyone have more experience with Google apps in Asia and other parts of the world?

Alternative markets are a big thing in China and Russia; devices devoid of Google Play, are a big thing as well. But many of those devices don't follow the Android Compatibility Definition Document, and don't pass the Compatibility Test Suite. If trademarks were an enforced thing they couldn't even be called Android. This vulnerability is serious for those devices, and will go on unupdated. But there is very little Google or the Open Handset Alliance can do about that, and they did it: the patch is upstream, ready to be applied.

Number two, the remotely updated Google Play services includes a package installer that now sends the signature of apps from third-party stores to Google for verification (it can flag APKs before they are installed; this is optional but recommended). Does this package installer (which works on every Google Play device from Froyo up) flag these apps? I would assume yes, that it would apply the same verifications that Google Play does, but could you press Google on this issue?

For the seven years I've covered security, Google has almost never granted my requests for on-the-record interviews and frequently won't even issue written statements responding to questions such as these. I have pressed their PR people as hard as I can and that's the way it has remained. To be fair, Apple is even less forthcoming, and Microsoft is only very slightly more so.

So unfortunately, I can't answer your specific questions. The best I can do is relay a message sent earlier this month from a Google spokeswoman in response to a previous article I wrote on the master key vulnerability:

"I can confirm that a patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to their Android devices. We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Google's Verification Tool provides protection for Android users who download apps to their devices outside of Google Play."

For that matter, it wouldn't seem out of the realm of possibility, to have the virus repackage already-downloaded apps on the user's phone, putting the user's entire app collection at ongoing risk.

Yes it is pretty much out of the realm of possibility.

On Android, only apps installed on the read-only /system partition can install (or modify) applications on a device. All apps capable of doing so (Google Play, Google's Verification Tool, "Samsung Apps", the default package installer, etc.) only do so with user intervention. An app that wants to install another app must ask the package installer to install it, which triggers user intervention. Even with root, the privilege escalation requires user intervention.

So barring other vulnerabilities, a virus can't spread on Android. So we're talking malware, trojans, not viri. Besides, it's not really feasible to trigger a dialog for every app you want to install. Without root, you're toast.

It amazes me that some technically savvy people are so arrogant as to believe that others whose specialties lie in other areas are stupid.

It could easily be argued that the more important something is in your daily life, the more dangerous it is to be ignorant about how it works. It's easier to get scammed, to overpay, and to operate something in a dangerous or unsafe manner when you don't understand anything more than how to use it at a superficial level.

Quote:

Just because someone knows how to do other things (that you'll almost certainly never know how to do) and hasn't been interested in something that's intensely interesting to you, that doesn't make the other person stupid or foolish or anything else other than different from you.

Perhaps, depends on the field. Computers are so involved in our daily lives that computer literacy and computer safety are actually extremely important. Yet we actively defend people for knowing so little as to be a threat to themselves.

Quote:

Please understand that there are millions and millions of highly intelligent people who know more than you'll ever know about their own fields, but who don't care about technology.

You can only not care about technology if you don't take advantage of it. I don't know of anyone alive whose life isn't directly impacted by technology. More so when you come to work with computers and other devices on a daily basis. Perhaps if more people were aware of these issues, carriers and handset vendors wouldn't be able to get away with their tendency to abandon handsets and other devices on a whim.

Quote:

If you're one of those who looks down on others in this way, you're foolish and arrogant.

I can't say I look down on them, only that I feel we need society-wide education to eliminate the black box. I look down on those who defend such ignorance, however. Education is always a way forward.

If an Android user only downloads apps from the official Google Play store, and has not rooted their phone, are they at risk from this or not?

Or is it too soon to tell?

I think it's too soon to tell. Users are probably safe but they might not be.

It has apparently been patched in the latest version of Android, and Google claims to be scanning the store for apps doing this kind of stuff, but details are scarce, and we don't know enough yet to confirm whether either of those is actually true. The article says this exploit may be using a similar but different vulnerability, which might be enough to slip through the Play Store's malware scanner, and almost nobody has the latest version of Android.

My advice is to stick to the play store, and stick to apps by reputable app developers, and be sure to skim read the recent reviews before installing.

Would be interesting to know the exact numbers on monetary losses incurred due to this novel malware. Will adjust spending on security solutions accordingly.

I wouldn't even dream of installing any "security solution" on a device powered by a battery.

Malware scanners will always impact battery life, often significantly so. It's just not worth it, better to make sure you don't get the thing installed in the first place - easy to do if you follow my advice a couple comments ago.

At this point this is something for Google and smartphone manufacturers and app developers to stress about. It's not appropriate yet for end users to take any action except stick to reputable sources for their apps.

Hopefully soon android will have a better model for deploying security updates and then the whole problem should go away (at least for hardware sanctioned by google).

"in the wild" = "distributed on unofficial Android marketplaces in China" = "not many users in the Western world"?

China is the market that drives Android. The US is a very, very distant second.

Chinese smartphone sales averaged 830,000 per day last quarter. Android takes around 90% of that, or 750,000 per day. Daily Android activations peaked around 1.5 million during that period, so China accounts for at least 1 out of every 2 Android activations, and that number is only rising.

In comparison, we know from carrier activations that Verizon, AT&T, and Sprint activated around 100,000 Android devices daily during the Q2 timeframe. Even if we assume that T-Mo and the small prepaids boost that number by 50%, that's still only 150,000 daily US activations. So US accounts for 1 out of 10 activations at best.

It amazes me that some technically savvy people are so arrogant as to believe that others whose specialties lie in other areas are stupid. Just because someone knows how to do other things (that you'll almost certainly never know how to do) and hasn't been interested in something that's intensely interesting to you, that doesn't make the other person stupid or foolish or anything else other than different from you. The attitude that prevails among a lot of allegedly smart tech people is that problems such as this aren't important because it wouldn't affect the way they use a computer/smartphone and because they understand enough (and keep up with enough tech news) to avoid it. Please understand that there are millions and millions of highly intelligent people who know more than you'll ever know about their own fields, but who don't care about technology. If you're one of those who looks down on others in this way, you're foolish and arrogant.

The question is, are they bad at computers because they are ignorant/lazy or because they just flat out can't understand it? I look down on the former and not the latter.

It amazes me that some technically savvy people are so arrogant as to believe that others whose specialties lie in other areas are stupid. Just because someone knows how to do other things (that you'll almost certainly never know how to do) and hasn't been interested in something that's intensely interesting to you, that doesn't make the other person stupid or foolish or anything else other than different from you. The attitude that prevails among a lot of allegedly smart tech people is that problems such as this aren't important because it wouldn't affect the way they use a computer/smartphone and because they understand enough (and keep up with enough tech news) to avoid it. Please understand that there are millions and millions of highly intelligent people who know more than you'll ever know about their own fields, but who don't care about technology. If you're one of those who looks down on others in this way, you're foolish and arrogant.

The question is, are they bad at computers because they are ignorant/lazy or because they just flat out can't understand it? I look down on the former and not the latter.

I define "stupid" as a person who has a brain but refuses to use it.

So it's lazy to not know everything about everything?

Get off your high horse. Different people have different priorities in life. Not everyone wants to spend even a nanosecond thinking about how their phone works. And they shouldn't have to.